rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix CVE-2010-3079: ftrace NULL pointer dereference

This commit is contained in:
Chuck Ebbert 2010-09-14 23:03:13 -04:00
parent 5bfd09461d
commit fac9fd36ec
2 changed files with 60 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
kernel.spec
View File

@ -805,6 +805,9 @@ Patch12542: setup_arg_pages-diagnose-excessive-argument-size.patch
# CVE-2010-3080
Patch12550: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
# CVE-2010-3079
Patch12560: tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@ -1519,6 +1522,9 @@ ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
# CVE-2010-3080
ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
# CVE-2010-3079
ApplyPatch tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
# END OF PATCH APPLICATIONS
%endif
@ -2141,6 +2147,9 @@ fi
%changelog
* Tue Sep 14 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.34.7-57
- Fix CVE-2010-3079: ftrace NULL pointer dereference
* Tue Sep 14 2010 Chuck Ebbert <cebbert@redhat.com>
- Fix CVE-2010-3080: /dev/sequencer open failure is not handled correctly
* Tue Sep 14 2010 Chuck Ebbert <cebbert@redhat.com>

51
tracing-do-not-allow-llseek-to-set_ftrace_filter.patch Normal file
View File

@ -0,0 +1,51 @@
From: Steven Rostedt <srostedt@redhat.com>
Date: Wed, 8 Sep 2010 15:20:37 +0000 (-0400)
Subject: tracing: Do not allow llseek to set_ftrace_filter
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7
tracing: Do not allow llseek to set_ftrace_filter
Reading the file set_ftrace_filter does three things.
1) shows whether or not filters are set for the function tracer
2) shows what functions are set for the function tracer
3) shows what triggers are set on any functions
3 is independent from 1 and 2.
The way this file currently works is that it is a state machine,
and as you read it, it may change state. But this assumption breaks
when you use lseek() on the file. The state machine gets out of sync
and the t_show() may use the wrong pointer and cause a kernel oops.
Luckily, this will only kill the app that does the lseek, but the app
dies while holding a mutex. This prevents anyone else from using the
set_ftrace_filter file (or any other function tracing file for that matter).
A real fix for this is to rewrite the code, but that is too much for
a -rc release or stable. This patch simply disables llseek on the
set_ftrace_filter() file for now, and we can do the proper fix for the
next major release.
Reported-by: Robert Swiecki <swiecki@google.com>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Tavis Ormandy <taviso@google.com>
Cc: Eugene Teo <eugene@redhat.com>
Cc: vendor-sec@lst.de
Cc: <stable@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 7cb1f45..83a16e9 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -2416,7 +2416,7 @@ static const struct file_operations ftrace_filter_fops = {
.open = ftrace_filter_open,
.read = seq_read,
.write = ftrace_filter_write,
- .llseek = ftrace_regex_lseek,
+ .llseek = no_llseek,
.release = ftrace_filter_release,
};